Data breach: Marriott faces lawsuit in London

By Rahul Vaimal, Associate Editor

Marriott International, the largest hotel operator in the world, is facing a lawsuit in London brought by millions of former hotel guests seeking compensation after their personal data was hacked in one of the biggest data breaches in history.

Martin Bryant, founder of technology and media consultancy Big Revolution, is leading the argument for the guests after more than 300 million customer records were hacked between 2014 and 2018 from Marriott’s global database.

“I hope this case will raise awareness of the value of our personal data, result in fair compensation and also serve notice to other data owners that they must hold our data responsibly,” he said in a statement.

What happened?

On September 8, 2018, an internal monitoring tool flagged a suspicious attempt to access the internal guest reservation database of Marriott’s Starwood brands, which include the Westin, Sheraton, St. Regis and W hotels.

The suspicion sparked an internal inquiry that concluded that the Starwood network had been compromised sometime in 2014 — back when Starwood was a separate company.

Marriott had purchased Starwood hotels in 2016.

The investigation found that the hackers managed to decrypt data that included information from up to 500 million guest records. Many of the documents contained highly confidential details such as credit card and passport numbers.

Realizing the severity of the situation, Marriott issued a statement in which its Chief Executive, Arne Sorenson, said at the time, “We fell short of what our guests deserve.”

The case, which seeks unspecified damages for loss of ownership of personal data, also covers guests who made a reservation in any one of the former Starwood brand hotels – including Sheraton Hotels & Resorts and St. Regis hotels – before 10th September 2018.

Marriott had incurred $28 million in breach-related costs as of March 2019. But a much tougher blow fell on the organization in July of 2019, when the UK Information Commissioner’s Office (ICO) imposed a fine of more than $120 million for breaching the privacy rights of British citizens under the GDPR.

The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for people in the region.